[strongSwan] Discrepancy in distinguished name for x.509 authentication
Tobias Brunner
tobias at strongswan.org
Fri Jan 18 11:21:11 CET 2019
Hi Yogesh,

> To make it work I had to configure 'E' for emailAddress in rightid field
> of ipsec.conf.

Hm, that seems strange.

> I know it is not a big issue and it is working for me with 'E', but
> ideally it should work with exact Subject of x.509 certificate which has
> 'emailAddress' as the field.

When parsing the strings these identifiers are just mapped to an OID for
that particular RDN and E and emailAddress both map to the same OID.
There is really no difference between the two. I even added unit tests
to confirm this, see [1] and [2].

Do you have logs that actually show what is compared in each of these
two cases? (The binary encoding of the identities is logged on level 3
in CFG.)

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/tests/suites/test_identification.c;h=feadcc9d93b3e4f2516134000188a6fba7df02f2;hb=220b0cb29cd0315ee62378ea98ddff00d1e0d36c#l466
[2]
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/tests/suites/test_identification.c;h=feadcc9d93b3e4f2516134000188a6fba7df02f2;hb=220b0cb29cd0315ee62378ea98ddff00d1e0d36c#l633
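
Added example, not part of the original message and not strongSwan's code: a simplified Python model of the mapping described above, in which the RDN keyword is only a lookup key for an OID and never appears in the binary identity that gets compared. The keyword table, the case-insensitive matching, the string types and the sample identities are assumptions made for illustration.

```python
# Simplified model of DN string -> DER encoding; NOT strongSwan's parser.
# Constructed subset of RDN keywords; this model matches them
# case-insensitively (assumption).
EMAIL_OID = "1.2.840.113549.1.9.1"  # PKCS#9 emailAddress
RDN_OIDS = {
    "c": "2.5.4.6", "o": "2.5.4.10", "cn": "2.5.4.3",
    "e": EMAIL_OID, "emailaddress": EMAIL_OID,
}

def tlv(tag, body):
    """DER tag-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def dn_to_der(dn):
    """Turn 'K=v, K=v' into a DER Name; the keyword itself is not encoded."""
    rdns = b""
    for part in dn.split(","):
        keyword, _, value = part.strip().partition("=")
        oid = RDN_OIDS[keyword.strip().lower()]
        # Assumption: IA5String for e-mail, PrintableString otherwise.
        tag = 0x16 if oid == EMAIL_OID else 0x13
        atv = tlv(0x30, der_oid(oid) + tlv(tag, value.strip().encode("ascii")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

if __name__ == "__main__":
    # Constructed sample identities.
    a = dn_to_der("C=CH, O=Example, CN=peer, E=peer@example.org")
    b = dn_to_der("C=CH, O=Example, CN=peer, emailAddress=peer@example.org")
    print(a.hex())
    print("identical encodings:", a == b)
```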